Pre-emptive cyberattacks get OK

Administration reviewing rules on how to defend against digital strikes

New York Times

Published 10:38 pm, Sunday, February 3, 2013

WASHINGTON — A secret legal review on the use of America's growing arsenal of cyberweapons has concluded that President Barack Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad, according to officials involved in the review.

That decision is among several reached in recent months as the administration moves, in the next few weeks, to approve the nation's first rules for how the military can defend, or retaliate, against a major cyberattack.

New policies will also govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the U.S. and, if the president approves, attack adversaries by injecting them with destructive code — even if there is no declared war.

The rules will be highly classified, just as those governing drone strikes have been closely held. John O. Brennan, Obama's chief counterterrorism adviser and his nominee to run the Central Intelligence Agency, played a central role in developing the administration's policies regarding both drones and cyberwarfare, the two newest and most politically sensitive weapons in the U.S. arsenal.

Cyberweaponry is the newest and perhaps most complex arms race under way. The Pentagon has created a new Cyber Command, and computer network warfare is one of the few parts of the military budget that is expected to grow. Officials said that the new cyberpolicies had been guided by a decade of evolution in counterterrorism policy, particularly on the division of authority between the military and the intelligence agencies in deploying cyberweapons. Officials spoke on condition of anonymity because they were not authorized to talk on the record.

Under current rules, the military can openly carry out counterterrorism missions in nations where the U.S. operates under the rules of war, like Afghanistan. But the intelligence agencies have the authority to carry out clandestine drone strikes and commando raids in places like Pakistan and Yemen, which are not declared war zones.

Obama is known to have approved the use of cyberweapons only once, early in his presidency, when he ordered a series of cyberattacks against Iran's nuclear enrichment facilities. The operation began inside the Pentagon under President George W. Bush, but was taken over by the National Security Agency, the largest of the intelligence agencies, under the president's authority.

One senior U.S. official said that officials quickly determined that the cyberweapons were so powerful that — like nuclear weapons — they should be unleashed only on the direct orders of the commander in chief. A possible exception would be in cases of narrowly targeted tactical strikes by the military, like turning off an air defense system during a conventional strike against an adversary.

"There are very, very few instances in cyberoperations in which the decision will be made at a level below the president," the official said. That means the administration has ruled out the use of "automatic" retaliation if a cyberattack on America's infrastructure is detected.

While the rules have been in development for more than two years, they are coming out at a time of greatly increased cyberattacks on U.S. companies and critical infrastructure.

"While this is all described in neutral terms — what are we going to do about cyberattacks — the underlying question is, 'What are we going to do about China?'" said Richard Falkenrath, a senior fellow at the Council on Foreign Relations. "There's a lot of signaling going on between the two countries on this subject."

The implications of pre-emption in cyberwar were specifically analyzed at length in writing the new rules. One major issue involved in the administration's review, according to one official involved, was defining "what constitutes reasonable and proportionate force" in halting or retaliating against a cyberattack.

During the attacks on Iran's facilities, which the U.S. never acknowledged, Obama insisted that cyberweapons be targeted narrowly, so that they did not affect hospitals or power supplies. Obama frequently voiced concerns that America's use of cyberweapons could be used by others as justification for attacks on the U.S.

The U.S. effort was exposed when the cyberweapon leaked out of the Iranian center that was attacked, and the code replicated millions of times on the Internet.

Under the new guidelines, the Pentagon would not be involved in defending against ordinary cyberattacks on U.S. companies or individuals. Domestically, that responsibility falls to the Department of Homeland Security, and investigations of cyberattacks or theft are carried out by the FBI.

But the military, barred from actions within the U.S. without a presidential order, would become involved in cases of a major cyberattack within the U.S.